Compare commits
No commits in common. "519858db1d963ab7f534543ed9edefcf2a5830cc" and "1c47d232dacce2ad30a455aada55ddf70207dc32" have entirely different histories.
519858db1d
...
1c47d232da
@ -45,11 +45,6 @@
|
||||
- name: "Include ednz_cloud.hashistack.vault"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.vault
|
||||
vars:
|
||||
vault_enable_auto_unseal: true
|
||||
vault_unseal_url: "{{ vault_configuration['api_addr'] }}"
|
||||
vault_unseal_tls_verify: false
|
||||
vault_unseal_keys: "{{ _credentials.vault['keys'] | default([]) }}"
|
||||
|
||||
- name: "Vault | Initialize vault cluster" # noqa: run-once[task]
|
||||
ednz_cloud.hashistack.vault_init:
|
||||
|
@ -11,11 +11,11 @@ module: ednz_cloud.hashistack.consul_acl_bootstrap
|
||||
|
||||
short_description: Bootstraps ACL for a Consul cluster.
|
||||
|
||||
version_added: "0.1.0"
|
||||
version_added: "1.0.0"
|
||||
|
||||
description:
|
||||
- This module bootstraps ACL (Access Control List) for a Consul cluster. It performs the ACL bootstrap operation,
|
||||
creating the initial tokens needed for secure communication within the cluster.
|
||||
creating the initial tokens needed for secure communication within the cluster.
|
||||
|
||||
options:
|
||||
api_addr:
|
||||
@ -40,10 +40,10 @@ author:
|
||||
EXAMPLES = r"""
|
||||
# Example: Bootstrap ACL for a Consul cluster
|
||||
- name: Bootstrap ACL for Consul cluster
|
||||
ednz_cloud.hashistack.consul_acl_bootstrap:
|
||||
api_addr: 127.0.0.1
|
||||
scheme: http
|
||||
port: 8500
|
||||
ednz_cloud.hashistack.consul_acl_bootstrap:
|
||||
api_addr: 127.0.0.1
|
||||
scheme: http
|
||||
port: 8500
|
||||
"""
|
||||
|
||||
RETURN = r"""
|
||||
|
@ -60,15 +60,15 @@ state:
|
||||
type: dict
|
||||
returned: always
|
||||
sample:
|
||||
- AccessorID: "b780e702-98ce-521f-2e5f-c6b87de05b24",
|
||||
- SecretID: "3f4a0fcd-7c42-773c-25db-2d31ba0c05fe",
|
||||
- Name: "Bootstrap Token",
|
||||
- Type: "management",
|
||||
- Policies: null,
|
||||
- Global: true,
|
||||
- CreateTime: "2017-08-23T22:47:14.695408057Z",
|
||||
- CreateIndex: 7,
|
||||
- ModifyIndex: 7
|
||||
- AccessorID: "b780e702-98ce-521f-2e5f-c6b87de05b24",
|
||||
- SecretID: "3f4a0fcd-7c42-773c-25db-2d31ba0c05fe",
|
||||
- Name: "Bootstrap Token",
|
||||
- Type: "management",
|
||||
- Policies: null,
|
||||
- Global: true,
|
||||
- CreateTime: "2017-08-23T22:47:14.695408057Z",
|
||||
- CreateIndex: 7,
|
||||
- ModifyIndex: 7
|
||||
"""
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
|
@ -11,13 +11,11 @@ module: ednz_cloud.hashistack.vault_init
|
||||
|
||||
short_description: Manages the initialization of HashiCorp Vault.
|
||||
|
||||
version_added: "0.1.0"
|
||||
|
||||
description:
|
||||
- This module initializes HashiCorp Vault, ensuring that it is securely set up for use.
|
||||
|
||||
requirements:
|
||||
- C(hvac) (L(Python library,https://hvac.readthedocs.io/en/stable/overview.html))
|
||||
- C(hvac) (L(Python library,https://hvac.readthedocs.io/en/stable/overview.html))
|
||||
|
||||
options:
|
||||
api_url:
|
||||
|
@ -7,70 +7,66 @@ __metaclass__ = type
|
||||
|
||||
DOCUMENTATION = r"""
|
||||
---
|
||||
module: ednz_cloud.hashistack.vault_unseal
|
||||
module: my_test
|
||||
|
||||
short_description: Unseals a Vault cluster.
|
||||
short_description: This is my test module
|
||||
|
||||
version_added: "0.1.0"
|
||||
# If this is part of a collection, you need to use semantic versioning,
|
||||
# i.e. the version is of the form "2.5.0" and not "2.4".
|
||||
version_added: "1.0.0"
|
||||
|
||||
description:
|
||||
- This module unseals a Vault cluster by submitting the necessary unseal keys. It checks whether the Vault is sealed and performs the unseal operation if needed. The response will reflect the state after the last unseal key is submitted.
|
||||
|
||||
requirements:
|
||||
- C(hvac) (L(Python library,https://hvac.readthedocs.io/en/stable/overview.html))
|
||||
description: This is my longer description explaining my test module.
|
||||
|
||||
options:
|
||||
api_url:
|
||||
description: The URL of the Vault API.
|
||||
name:
|
||||
description: This is the message to send to the test module.
|
||||
required: true
|
||||
type: str
|
||||
tls_verify:
|
||||
description: Whether to verify TLS certificates.
|
||||
new:
|
||||
description:
|
||||
- Control to demo if the result of this module is changed or not.
|
||||
- Parameter description can be a list as well.
|
||||
required: false
|
||||
type: bool
|
||||
default: true
|
||||
key_shares:
|
||||
description: List of unseal keys required to unseal the Vault.
|
||||
required: false
|
||||
type: list
|
||||
default: []
|
||||
# Specify this value according to your collection
|
||||
# in format of namespace.collection.doc_fragment_name
|
||||
# extends_documentation_fragment:
|
||||
# - my_namespace.my_collection.my_doc_fragment_name
|
||||
|
||||
author:
|
||||
- Bertrand Lanson (@ednz_cloud)
|
||||
- Your Name (@yourGitHubHandle)
|
||||
"""
|
||||
|
||||
EXAMPLES = r"""
|
||||
# Example: Unseal a Vault cluster
|
||||
- name: Unseal Vault cluster
|
||||
ednz_cloud.hashistack.vault_unseal:
|
||||
api_url: "https://127.0.0.1:8200"
|
||||
tls_verify: true
|
||||
key_shares:
|
||||
- "key1"
|
||||
- "key2"
|
||||
- "key3"
|
||||
# Pass in a message
|
||||
- name: Test with a message
|
||||
my_namespace.my_collection.my_test:
|
||||
name: hello world
|
||||
|
||||
# Example: Unseal Vault cluster with no TLS verification
|
||||
- name: Unseal Vault cluster without TLS verification
|
||||
ednz_cloud.hashistack.vault_unseal:
|
||||
api_url: "https://127.0.0.1:8200"
|
||||
tls_verify: false
|
||||
key_shares:
|
||||
- "key1"
|
||||
- "key2"
|
||||
# pass in a message and have changed true
|
||||
- name: Test with a message and changed output
|
||||
my_namespace.my_collection.my_test:
|
||||
name: hello world
|
||||
new: true
|
||||
|
||||
# fail the module
|
||||
- name: Test failure of the module
|
||||
my_namespace.my_collection.my_test:
|
||||
name: fail me
|
||||
"""
|
||||
|
||||
RETURN = r"""
|
||||
state:
|
||||
description: Information about the state of the Vault unseal operation.
|
||||
type: dict
|
||||
# These are examples of possible return values, and in general should use other names for return values.
|
||||
original_message:
|
||||
description: The original name param that was passed in.
|
||||
type: str
|
||||
returned: always
|
||||
sample:
|
||||
sealed: true,
|
||||
t: 3,
|
||||
n: 5,
|
||||
progress: 2,
|
||||
version: "0.6.2"
|
||||
sample: 'hello world'
|
||||
message:
|
||||
description: The output message that the test module generates.
|
||||
type: str
|
||||
returned: always
|
||||
sample: 'goodbye'
|
||||
"""
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
import traceback
|
||||
|
@ -42,15 +42,6 @@ vault_storage_configuration:
|
||||
file:
|
||||
path: "{{ vault_data_dir }}"
|
||||
|
||||
#############################
|
||||
# auto-unseal configuration #
|
||||
#############################
|
||||
|
||||
vault_enable_auto_unseal: false
|
||||
vault_unseal_url: "https://127.0.0.1:8200"
|
||||
vault_unseal_tls_verify: true
|
||||
vault_unseal_keys: []
|
||||
|
||||
##########################
|
||||
# listener configuration #
|
||||
##########################
|
||||
|
@ -36,10 +36,8 @@
|
||||
register: _vault_current_version
|
||||
|
||||
- name: "Vault | Download and install vault binary"
|
||||
when:
|
||||
- _vault_current_version is not defined
|
||||
or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
|
||||
- not ansible_check_mode
|
||||
when: _vault_current_version is not defined
|
||||
or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
|
||||
block:
|
||||
- name: "Vault | Set vault package name to download"
|
||||
ansible.builtin.set_fact:
|
||||
@ -79,6 +77,7 @@
|
||||
until: _vault_binary_archive is succeeded
|
||||
retries: 5
|
||||
delay: 2
|
||||
check_mode: false
|
||||
|
||||
- name: "Vault | Create temporary directory for archive decompression"
|
||||
ansible.builtin.file:
|
||||
|
@ -36,10 +36,8 @@
|
||||
when: _vault_service_need_reload
|
||||
|
||||
- name: "Vault | Start service: {{ vault_service_name }}"
|
||||
ansible.builtin.include_tasks: rolling_restart.yml
|
||||
when:
|
||||
- _vault_service_need_restart
|
||||
- "hostvars[host_item].inventory_hostname == inventory_hostname"
|
||||
with_items: "{{ ansible_play_batch }}"
|
||||
loop_control:
|
||||
loop_var: host_item
|
||||
ansible.builtin.service:
|
||||
name: "{{ vault_service_name }}"
|
||||
state: restarted
|
||||
throttle: 1
|
||||
when: _vault_service_need_restart
|
||||
|
@ -5,13 +5,13 @@
|
||||
path: "{{ dir_source_item.dest }}"
|
||||
recurse: true
|
||||
state: directory
|
||||
mode: "0755"
|
||||
mode: "0775"
|
||||
|
||||
- name: "Vault | Create extra directory sources"
|
||||
ansible.builtin.file:
|
||||
path: "{{ dir_source_item.dest }}/{{ item.path }}"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
mode: "0775"
|
||||
with_community.general.filetree: "{{ dir_source_item.src }}/"
|
||||
when: item.state == 'directory'
|
||||
|
||||
|
@ -1,14 +0,0 @@
|
||||
---
|
||||
- name: "Vault | Start service: {{ vault_service_name }}"
|
||||
ansible.builtin.service:
|
||||
name: "{{ vault_service_name }}"
|
||||
state: restarted
|
||||
|
||||
- name: "Vault | Unseal node"
|
||||
ednz_cloud.hashistack.vault_unseal:
|
||||
api_url: "{{ vault_unseal_url }}"
|
||||
tls_verify: "{{ vault_unseal_tls_verify }}"
|
||||
key_shares: "{{ vault_unseal_keys }}"
|
||||
when:
|
||||
- vault_enable_auto_unseal
|
||||
- vault_unseal_keys|length > 0
|
Loading…
Reference in New Issue
Block a user